Microsoft has released the public preview of a new Azure Active Directory tool that will help admins kill off bad passwords in the enterprise.
The tool, called Azure AD Password Protection, offers a new way of protecting Azure AD and Windows Server Active Directory accounts from users with bad password habits.
The tool contains a list of 500 of the most commonly used passwords and helps blocks a million more that contain character-based variations on these bad passwords. That means since ‘password’ is already blocked, users won’t be able to set their password to ‘P@ssword’ or ‘P@$$w0rd’.
Microsoft argues that Azure AD Password Protection will “dramatically lower the risk” of being compromised by a so-called “password spraying” attack.
Password spraying is designed to get around ‘rate limiting’, where a system caps the number of attempts to log in to a single account before locking it down.
Instead, the attacker uses common passwords like ‘Password1’ against many accounts with the knowledge that a small percentage will be secured with these passwords.
The US Compute Emergency Readiness Team, or US-CERT, posted an alert in March about password spraying attacks, confirming this was the technique used by the nine Iranian nationals who the DOJ indicted for allegedly hacking 8,000 professor email accounts at 144 US universities, as well as accounts at the US Department of Labor, the United Nations, and the Federal Energy Regulatory Commission.
The hackers, working for Iranian firm, the Mabna Institute, allegedly stole 31.5 terabytes of research and other data, which they passed on to the Iranian Government’s Islamic Revolutionary Guard Corp.
US-CERT noted that password spray attacks often target single sign-on (SSO) and cloud-based applications that use federated authentication protocols.
Compromising a few select accounts allow the attackers to acquire a large email list to spray, and use the compromised access to move around a network using RDP and then exfiltrate data via FTP.
Shortly before the indictments were announced, Microsoft also posted a warning about password spray attacks and provided Azure AD customers with information about tools to mitigate them.
Microsoft argues that the banned passwords approach is superior to password complexity rules, such as requiring multiple character types, which users often respond to by picking a password with a capital at the front followed by a few number-alphabet substitutions.
Also, requiring users to change passwords periodically often leads to users picking easy-to-remember passwords based on sports teams and so on.
“Today’s public preview gives you the ability to do this in the cloud and on premises — wherever your users change their passwords — and unprecedented configurability,” writes Alex Simons, director of program management at Microsoft’s Identity Division.
The one catch is that Azure AD Premium Password Protection is limited to enterprise subscribers on the Azure AD Premium 1 tier.